The IT Department, as we know it today, can no longer address on its own the dynamic exchange of information that takes place in the cyberspace domain. This exchange of information includes benign and malicious traffic. In a paper I wrote some time ago and posted on LinkedIn, I was proposing the creation of a Cyber Security and Intelligence Department to operate side by side with the IT Department to track IP addresses that have unsuccessfully attempted to pass the IDS, traffic that appears normal but in context shows a malicious nature, chatter in the cyberspace domain about the enterprise, its proprietary information and intellectual property, unauthorized disclosure of information by employees, and threats against facilities and executives.
The analogy I use is that if I had told a CEO 40 years ago that he/she would need an in-house attorney, I would have been given the same answer I am getting today when I say “you need a part-time or full-time in-house Chief of Cyber Intelligence” – Answer: Oh, I do not have those kinds of problems. No need for that. No ROI justification.
Well, today, most medium to large businesses have an in-house attorney. :-)
After 11 years of running Meta Intelligence, I have encountered many problems for which I have found solutions; however, this one is puzzling me because I cannot find a way to escape this swirl. I am hoping that some of my readers might have the answer, and I also want to bring to your attention this swirl that, in my humble opinion, is costing the private sector billions of dollars.
At one end of the ping-pong table, there is the CEO who knows that he/she has hired the best CIO/CTO/CISO available in the market. The CEO has not been informed of any breaches of security in his/her company, so he/she is certain that the company is 100% secure.
At the other end of the ping-pong table, there is the CIO/CTO/CISO who knows that technology alone cannot provide a barrier of defense. He/she might indeed be one of the best in the marketplace but does not have the time or knowledge to design and teach a course that addresses the number one point of entry for cyber intrusions: the user of technology.
As of today, 95% of all cyber intrusions have been caused because someone inside an organization clicked on a link carrying a malicious payload, connected an infected computer to the company’s network, traveled to China with a laptop that was then connected back to the network, clicked on a link sent via text message, and the list goes on and on.
When a vendor like Meta Intelligence approaches the CEO with a solution, he/she often replies with one of these two answers: 1) I have the best IT department and it has not brought that up as an issue; or 2) I don’t know much about cyber, so you had better talk to the IT department.
Both answers leave the vendor in limbo, because IT department personnel will rarely admit that they have no idea how to address user behavior as the number one barrier of defense, and they will not approach the CEO to request assistance from, or engagement of, a third-party vendor. The CIO/CTO/CISO is concerned that bringing in a third party to solve this problem might get him/her fired for incompetence.
These are companies like Home Depot, Target, Sony, Domino’s Pizza and many others you have seen in the newspapers, whose CEOs have been forced to resign or, even if they remained in the company, have paid a huge price in lost revenue.
As of today, a company will pay on average $201 to $206 per employee to recover from a cyber intrusion. However, if the company stops the endless cyber ping-pong of CEO vs IT Department and brings in a good education program on risk management when online, it will save about $150 per employee and fend off 95% of cyber intrusions. Education of the workforce is not sexy, but it is very effective. Otherwise, why do you think you have to sustain ethics-in-the-workplace training, harassment-in-the-workplace training, and the other mandatory training that some industries are required to have in place?
If you are, hopefully, going to provide cyber behavioral training (and, by the way, this is what I have been doing since 2005 when I founded Meta Intelligence), you need to look for programs that do not leave solutions to the user’s imagination, because imagination is limited by knowledge. If you, the user, do not know what a man-in-the-middle attack is, you will be using free Internet all over town and in airports. Probably you have even attended a cyber security class where the instructor told you “be cautious when you open your email.” What does this type of warning mean to the average user of technology? Duck and cover when clicking on the email? Wear goggles or protective gloves? The average person reads emails on the phone and clicks and clacks on every link floating in the email. Telling this person to be cautious without explaining the step-by-step handling of email is useless.
If you are conscious about overhead spending but want to run an experiment of this nature – investing in education instead of buying the latest “Dr. Techno software that will not let intruders in” – you can take advantage of some of the sites that offer free training, such as Cybrary - https://www.cybrary.it/ . As of today, it has over 600k members and more than 2k topics.
You can learn more about this concept of return on investment by developing strong cyber behavioral habits at: https://www.youtube.com/watch?v=aRXazQuPzFs
So, the question to you is: how do we break this swirl of pushing the education ball from one end of the ping-pong table to the other? Last year, cybercrime cost the US economy about 24 billion dollars. Wouldn't you rather see that money used for something more useful than enriching the coffers of cyber crooks?
That is all for now. Thank you for reading!
About the Blog
This blog is updated on a bi-weekly basis and addresses a variety of topics concerning cybertechnology, privacy and ethics in the cyberspace domain.